Linux is not immune to malware or rootkits. In fact, exploit kits for these that target Linux are being sold. I ran across an article about that on BBC the other day but unfortunately I didn’t bookmark it.

An acquaintance of mine observed that a pup booting from a CD/DVD was a very secure OS, but in her opinion left something to be desired. She would prefer a ‘regular’ computer. Carrying around a separate disc or stick is not her idea of an OS, and ‘why couldn’t a normal computer be made as iron-clad as one booted from a CD?’

Good question.

We tossed around a few ideas and made some observations.
Puppy booted from CD/DVD has these advantages:
It is immune to rootkits.
The base OS can not be compromised, except via a saved session or save file.

How could a regular kit, booted from the hard drive, implement the same features?
Things to consider:
The OS must be easy to update, so no immutable files.
The browser and email client must be updated regularly, along with some other applications.
Emails, documents and other personal files must be preserved.

Boot & set up a frugal Puppy on a clean system (not connected to LAN or internet).
Set root password and computer name.
Symlink ~/ browser and email files to /mnt/home/xx
Set browser to download to /mnt/home/yy
Install core apps from local copies, move to /mnt/home/zz and symlink back.
An alternative to storing apps and data on /mnt/home/xyz could be to use sfs files mounted rw at boot.

Operation
Do periodic md5sum checks of system files at runtime.
At every shutdown, after all apps are killed and partitions unmounted:
Perform a final md5sum.
If anything is dubious, then from obscured onboard backup files,
Overwrite the mbr and partition table (dd).
Overwrite the Puppy system files and pupsave.
Overwrite /boot.
Shutdown.

We would like to hear the thoughts of other forum members about this. How could the recipe be improved? Any pitfalls to look out for?

Last edited by 2byte on Sat 03 Dec 2011, 17:58; edited 1 time in total

I would only do that if I were going to boot from a network. Because what do you do if the computer's hard disk craters? (Which it will, trust me, and at the worst possible moment.) You won't be able to boot from a repair CD or from a plain Puppy CD to at least use the computer.

I wouldn't bother with the overwrites at the end. Instead, get checksums and compare with known good values (that you've stored previously). In fact checking checksums in the background after boot wouldn't be a bad idea. That way you won't bork things if power goes down in the middle of a write. Probably faster too.

I'll be interested to see the scripts you come up with. I run an encrypted pupsave and a truecrypt volume for my personal data, but I always intended at some point (never got around to it) to kick off a low priority background task in rc.local to verify the checksums of the non-encrypted pieces like the puppy sfs, just to be paranoid about stuff like trojans and key loggers.

I also boot off flash drive and carry this around when I'm not home so it's pretty secure I imagine, but it doesn't hurt to add more security to the picture.
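An added example (not code from any poster in this thread) of the check discussed above: record known-good checksums once on the clean system, then compare against them in a low-priority background task after boot. It uses sha256sum in place of the md5sum mentioned in the thread; the function names, the script name integrity.sh and all paths are assumptions.

```shell
#!/bin/sh
# Added example: baseline-and-verify integrity check for unencrypted system
# files (e.g. the Puppy sfs, kernel, initrd). Hypothetical names throughout.
# sha256sum is used instead of md5sum; the manifest format is the same.

# make_manifest MANIFEST FILE...
# Run once on the clean, offline system to record known-good checksums.
make_manifest() {
    manifest=$1
    shift
    sha256sum -- "$@" > "$manifest"
}

# verify_manifest MANIFEST
# Prints one line per problem (MISSING/CHANGED) and returns 0 only if every
# listed file exists and still matches its recorded checksum.
verify_manifest() {
    manifest=$1
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        got=$(sha256sum -- "$path" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "CHANGED $path"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# Command-line entry point. Example rc.local line (placeholder paths):
#   nice -n 19 sh /root/integrity.sh verify /mnt/cd/manifest.sha256 &
case "${1:-}" in
    baseline) shift; make_manifest "$@" ;;
    verify)   verify_manifest "$2" ;;
esac
```

Keep the manifest on media the running system cannot write to (the boot CD or a write-protected stick), since anything able to replace a system file on disk can also replace a manifest stored beside it.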
